Problem:
A shared folder has been created and permissions allocated, but members of the designated group cannot access the folder.
Cause:
This issue commonly arises when the Samba share is configured by manually editing /etc/samba/smb.conf instead of using the Univention Management Console (UMC) or Univention Configuration Registry (UCR). In Univention Corporate Server (UCS), direct modifications to configuration files are not persistent. The system uses a template-based approach where UCR variables generate active configuration files. Manual changes may be overwritten during updates or when UCR variables are committed, leading to inconsistent access rights.
Solution:
1. Revert Manual smb.conf Changes and Regenerate Configuration
To ensure a consistent configuration:
-
Revert any manual modifications by regenerating
smb.conffrom UCR templates:ucr commit /etc/samba/smb.conf -
Restart the Samba service to apply the changes:
/etc/init.d/samba restart
2. Correctly Create and Manage Samba Shares via UMC
Use the Univention Management Console to manage shares and permissions consistently:
-
Log in to the UMC and navigate to Domain > Shares.
-
Select the share and click Edit, or create a new share if necessary.
-
In the General tab:
- Verify the Directory owner group (e.g., “Domain Users”) and basic permissions.
-
In the Samba Permissions tab:
- Ensure the correct users or groups are listed in valid users/groups (groups prefixed with
@). - Enable Samba write access and Users with write access may modify permissions, if required.
- Ensure the correct users or groups are listed in valid users/groups (groups prefixed with
-
Under Advanced settings > Samba extended permissions:
- Enable NT ACL support and Inherit ACLs for Windows-style permission management.
For detailed guidance, refer to the UCS Manual, “File share management” and specifically 12.2.3 Shares UMC module – Samba tab:
https://docs.software-univention.de/manual/5.2/en/shares/index.html
Note: Only use UMC for configuring the root directory of a share. Direct filesystem edits will be overwritten by UCS.
3. Further Troubleshooting (if issues persist):
-
Verify AD-compatible Domain Controller: Ensure the “AD-compatible Domaincontroller” app is installed via UMC AppCenter.
-
Check Linux File System Permissions (POSIX ACLs): Even with correct Samba permissions, restrictive POSIX ACLs may block access:
getfacl <path> -
Validate Samba Configuration:
testparm -s -
Test Share Access from Server:
smbclient //localhost/<sharename> -U <username>%<password> -
Review Log Files:
- Samba logs:
/var/log/samba/log.samba,/var/log/samba/log.smbd,/var/log/samba/log.nmbd - UCS logs:
/var/log/univention/
- Samba logs:
References:
- Univention Configuration Registry: https://docs.software-univention.de/manual/5.2/en/computers/ucr.html
- File share access rights: https://docs.software-univention.de/manual/5.2/en/shares/index.html